html/HTMLParagraphElement.h:
(WebCore::HTMLParagraphElement::endTagRequirement): Changed to require
an end tag. The explicit closing of one P element by another is now
done in error checking, and therefore takes scope into account, allowing
for <p><button><p>, for example.

html/HTMLParser.cpp:
(WebCore::HTMLParser::HTMLParser): Initialize m_hasPElementInScope.
(WebCore::isScopingTag): Added. Returns whether the given tag represents
a scoping element as defined in HTML 5 section 8.2.3.2.
(WebCore::HTMLParser::formCreateErrorCheck): Added a call to
pCloserCreateErrorCheck().
(WebCore::HTMLParser::ddCreateErrorCheck): Ditto.
(WebCore::HTMLParser::dtCreateErrorCheck): Ditto.
(WebCore::HTMLParser::nestedPCloserCreateErrorCheck): Added for use with
<li>, which both closes P elements in scope and any previous LI.
(WebCore::HTMLParser::pCloserCreateErrorCheck): Added. If there is a P
element in scope, acts as if a </p> tag was seen.
(WebCore::HTMLParser::pCloserStrictCreateErrorCheck): Ditto, but only
in strict mode. Used for <table>.
(WebCore::HTMLParser::getNode): Added entries for tags that close a P
element in scope.
(WebCore::HTMLParser::handleResidualStyleCloseTagAcrossBlocks): Added
code to reset m_hasPElementInScope.
(WebCore::HTMLParser::pushBlock): Added code to update
m_hasPElementInScope.
(WebCore::HTMLParser::popOneBlockCommon): Ditto.
(WebCore::HTMLParser::checkIfHasPElementInScope): Added. Updates
m_hasPElementInScope.

html/HTMLParser.h:
(WebCore::HTMLParser::hasPElementInScope): Added. Calls
checkIfHasPElementInScope() if needed and returns whether there
is a P element in scope.

Update the security context of a document after calling document.open
or document.write. Basically, when a script open()s a document, the
document gains the security context of the script. Our implementation
now matches Firefox 3 on all these tests.

VM/CodeBlock.cpp:
(KJS::CodeBlock::dump): Fixed printf to avoid warnings -- to use %lu we
need to make sure the type is unsigned long.

kjs/object.cpp:
(KJS::Error::create): Eliminated unused error names array, and also put
the strings into the code since there was already a switch statment.
This also avoids having to contemplate a hypothetical access past the
end of the array.

kjs/array_instance.cpp:
(KJS::ArrayInstance::checkConsistency): Added. Empty inline version for when
consistency checks are turned off.
(KJS::ArrayInstance::ArrayInstance): Check consistency after construction.
(KJS::ArrayInstance::~ArrayInstance): Check consistency before destruction.
(KJS::ArrayInstance::put): Check consistency before and after.
(KJS::ArrayInstance::deleteProperty): Ditto.
(KJS::ArrayInstance::setLength): Ditto.
(KJS::compareByStringPairForQSort): Use typedef for clarity.
(KJS::ArrayInstance::sort): Check consistency before and after. Also broke the loop
to set up sorting into two separate passes. Added FIXMEs about various exception
safety issues. Added code to set m_numValuesInVector after sorting.
(KJS::ArrayInstance::compactForSorting): Ditto.

kjs/array_instance.h: Added a definition of an enum for the types of consistency
check and a declaration of the consistency checking function.

editing/CompositeEditCommand.cpp:
(WebCore::CompositeEditCommand::moveParagraphs): If we're removing a line
break that consists of a single '\n' in a text node by itself, remove
the whole text node instead of just emptying it out.

editing/Selection.cpp:
(WebCore::Selection::validate): Added a FIXME about canonicalizing
to positions that aren't candidates.

editing/SelectionController.cpp:
(WebCore::SelectionController::nodeWillBeRemoved): When the base and/or
extent are about to be removed but the start and end aren't, change the
base and extent to the start and end, but don't re-validate the selection,
since doing so could move the start and end into the node that is about
to be removed.

It seems like the compiler instantiates a different template version. I.e.,
instead of parseUASheet<char [nnnn]>, it's probably instantiating
parseUASheet<char *>, which then passes 4 or 8 as the size value.

Fixed a crash when a slot connect to QWebPage::unsupportedContent would show a
modal dialog with an event loop.

We have a queued connection to various signals in the QNetworkReply, for which
it can happen that after releasing the QNetworkReply and disconnecting from it
a slot connected to one of the signals may still be called due to a posted
MetaCall event due to the queued connections. This patch removes the posted
events explicitly, fixes the coding style a bit and makes sure the same happens
when abort() is called.

wx build fix. Reorder include dirs so that WebCore/html/HTMLElementFactory.h appears before WebCore/DerivedSources/HTMLElementFactory.h. (See note in commit for more details. This is probably not the right fix, but this will get us buildinguntil the right fix is in place.)

Make the limit test slightly more efficient. It is not clear how much of a win it is,
as the improvement on regexp-dna varies from 2.3% to 0.6% depending on what revision I
apply the patch to. Today, the win on regexp-dna was minimal, but the total win was whopping
0.5%, due to random code generation changes.

pcre/pcre_exec.cpp: (match): Avoid loading a constant on each iteration.

editing/VisiblePosition.cpp:
(WebCore::VisiblePosition::leftVisuallyDistinctCandidate): When falling
back from visual to logical movement, restart at the original position
rather than an intermediate position.
(WebCore::VisiblePosition::rightVisuallyDistinctCandidate): Ditto.

A check for whether a function's caller is eval code accidentally included
the case where the caller's caller is native code. Add a CodeType field to
CodeBlock and use this for the eval caller test instead.

page/inspector/DatabaseQueryView.js:
(WebInspector.DatabaseQueryView.prototype._enterKeyPressed): Use
_executeSqlError as the error callback for executeSql.
(WebInspector.DatabaseQueryView.prototype._queryError): Changed to
only take two parameters. This matches what we'll be passed if
db.transaction fails.
(WebInspector.DatabaseQueryView.prototype._executeSqlError): Added.
Calls through to _queryError.

fast/dom/domListEnumeration-expected.txt: Updated since Element now has 5
new properties. It would be good to rewrite this test so it doesn't have to
be updated every time we add a property to Node or Element.

We should really add some more tests for this. One text-only test each for the
four different sites that handle URLs (cursor image, list style image, fill image,
border image) that were fixed. Currently this covers only the cursor image.

fast/css/invalid-cursor-property-crash.html: Updated test to expect the
url() to be expanded into the URL of the document itself. The text of the test
is now a bit misleading, but it still tests that it's not a crash, and now it
also doubles as a check that url() is handled properly.

webkit/webkitwebhistoryitem.cpp:
(_WebKitWebHistoryItemPrivate::webkit_web_history_item_new): Use HistoryItem::create.
(_WebKitWebHistoryItemPrivate::webkit_web_history_item_new_with_data): Ditto. I also
believe this fixes a memory leak in the old version.